CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
a00a114101ab33eda2e75c9cf2ddab57cccea821
hayabusa/rules/sigma/builtin/win_rdp_bluekeep_poc_scanner.yml
DustInDark 0cfa806baf Feature/addruletype to sigma rule#230 (#235) 
* added ruletype to SIGMA rule #230

* added ruletype to SIGMA rule converter tool #231
2021-11-28 18:14:51 +09:00

30 lines
758 B
YAML
Raw Blame History

title: Scanner PoC for CVE-2019-0708 RDP RCE Vuln
author: Florian Roth (rule), Adam Bradbury (idea)
date: 2019/06/02
description: Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable
to CVE-2019-0708 RDP RCE aka BlueKeep
detection:
SELECTION_1:
EventID: 4625
SELECTION_2:
TargetUserName: AAAAAAA
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unlikely
id: 8400629e-79a9-4737-b387-5db940ab2367
level: critical
logsource:
product: windows
service: security
modified: 2021/11/12
references:
- https://twitter.com/AdamTheAnalyst/status/1134394070045003776
- https://github.com/zerosum0x0/CVE-2019-0708
status: experimental
tags:
- attack.lateral_movement
- attack.t1210
- car.2013-07-002
ruletype: SIGMA
Reference in New Issue View Git Blame Copy Permalink